aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRafal Krypa <r.krypa@samsung.com>2012-07-11 11:49:30 -0400
committerCasey Schaufler <casey@schaufler-ca.com>2012-09-18 12:50:52 -0400
commit449543b0436a9146b855aad39eab76ae4853e88d (patch)
tree1b430fec0506e78929cfd944972d7dd49d0f76fd
parentc00bedb368ae02a066aed8a888afc286c1df2e60 (diff)
Smack: implement revoking all rules for a subject label
Add /smack/revoke-subject special file. Writing a SMACK label to this file will set the access to '-' for all access rules with that subject label. Targeted for git://git.gitorious.org/smack-next/kernel.git Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
-rw-r--r--Documentation/security/Smack.txt3
-rw-r--r--security/smack/smackfs.c75
2 files changed, 78 insertions, 0 deletions
diff --git a/Documentation/security/Smack.txt b/Documentation/security/Smack.txt
index a416479b8a1c..e68536d85680 100644
--- a/Documentation/security/Smack.txt
+++ b/Documentation/security/Smack.txt
@@ -194,6 +194,9 @@ onlycap
194 these capabilities are effective at for processes with any 194 these capabilities are effective at for processes with any
195 label. The value is set by writing the desired label to the 195 label. The value is set by writing the desired label to the
196 file or cleared by writing "-" to the file. 196 file or cleared by writing "-" to the file.
197revoke-subject
198 Writing a Smack label here sets the access to '-' for all access
199 rules with that subject label.
197 200
198You can add access rules in /etc/smack/accesses. They take the form: 201You can add access rules in /etc/smack/accesses. They take the form:
199 202
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index b1b768e4049a..99929a50093a 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -49,6 +49,7 @@ enum smk_inos {
49 SMK_LOAD_SELF2 = 15, /* load task specific rules with long labels */ 49 SMK_LOAD_SELF2 = 15, /* load task specific rules with long labels */
50 SMK_ACCESS2 = 16, /* make an access check with long labels */ 50 SMK_ACCESS2 = 16, /* make an access check with long labels */
51 SMK_CIPSO2 = 17, /* load long label -> CIPSO mapping */ 51 SMK_CIPSO2 = 17, /* load long label -> CIPSO mapping */
52 SMK_REVOKE_SUBJ = 18, /* set rules with subject label to '-' */
52}; 53};
53 54
54/* 55/*
@@ -1992,6 +1993,77 @@ static const struct file_operations smk_access2_ops = {
1992}; 1993};
1993 1994
1994/** 1995/**
1996 * smk_write_revoke_subj - write() for /smack/revoke-subject
1997 * @file: file pointer
1998 * @buf: data from user space
1999 * @count: bytes sent
2000 * @ppos: where to start - must be 0
2001 */
2002static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf,
2003 size_t count, loff_t *ppos)
2004{
2005 char *data = NULL;
2006 const char *cp = NULL;
2007 struct smack_known *skp;
2008 struct smack_rule *sp;
2009 struct list_head *rule_list;
2010 struct mutex *rule_lock;
2011 int rc = count;
2012
2013 if (*ppos != 0)
2014 return -EINVAL;
2015
2016 if (!smack_privileged(CAP_MAC_ADMIN))
2017 return -EPERM;
2018
2019 if (count == 0 || count > SMK_LONGLABEL)
2020 return -EINVAL;
2021
2022 data = kzalloc(count, GFP_KERNEL);
2023 if (data == NULL)
2024 return -ENOMEM;
2025
2026 if (copy_from_user(data, buf, count) != 0) {
2027 rc = -EFAULT;
2028 goto free_out;
2029 }
2030
2031 cp = smk_parse_smack(data, count);
2032 if (cp == NULL) {
2033 rc = -EINVAL;
2034 goto free_out;
2035 }
2036
2037 skp = smk_find_entry(cp);
2038 if (skp == NULL) {
2039 rc = -EINVAL;
2040 goto free_out;
2041 }
2042
2043 rule_list = &skp->smk_rules;
2044 rule_lock = &skp->smk_rules_lock;
2045
2046 mutex_lock(rule_lock);
2047
2048 list_for_each_entry_rcu(sp, rule_list, list)
2049 sp->smk_access = 0;
2050
2051 mutex_unlock(rule_lock);
2052
2053free_out:
2054 kfree(data);
2055 kfree(cp);
2056 return rc;
2057}
2058
2059static const struct file_operations smk_revoke_subj_ops = {
2060 .write = smk_write_revoke_subj,
2061 .read = simple_transaction_read,
2062 .release = simple_transaction_release,
2063 .llseek = generic_file_llseek,
2064};
2065
2066/**
1995 * smk_fill_super - fill the /smackfs superblock 2067 * smk_fill_super - fill the /smackfs superblock
1996 * @sb: the empty superblock 2068 * @sb: the empty superblock
1997 * @data: unused 2069 * @data: unused
@@ -2037,6 +2109,9 @@ static int smk_fill_super(struct super_block *sb, void *data, int silent)
2037 "access2", &smk_access2_ops, S_IRUGO|S_IWUGO}, 2109 "access2", &smk_access2_ops, S_IRUGO|S_IWUGO},
2038 [SMK_CIPSO2] = { 2110 [SMK_CIPSO2] = {
2039 "cipso2", &smk_cipso2_ops, S_IRUGO|S_IWUSR}, 2111 "cipso2", &smk_cipso2_ops, S_IRUGO|S_IWUSR},
2112 [SMK_REVOKE_SUBJ] = {
2113 "revoke-subject", &smk_revoke_subj_ops,
2114 S_IRUGO|S_IWUSR},
2040 /* last one */ 2115 /* last one */
2041 {""} 2116 {""}
2042 }; 2117 };